Honeypot Discussions Part-1

Umut Unal
6 min read, Jan 13, 2022

Welcome to Honeypot Discussions Part 1. This is the first of three articles about honeypots. In this first article we discuss what a honeypot is and how it works. The second article covers honeypot types, and in the last one we build and test a honeynet environment.

A honeypot is a structure built to protect the real systems: placed either in the internal network or in the external network, it presents itself as a real system to connections that arrive directly at the attack surface, hosts various services for that purpose, and turns those connections into a security mechanism.

Like its dictionary meaning, the honeypot works as a metaphor. In real life, bears love honey and will try anything to get it as soon as they sense it. For this reason, people place some honeypots outside the fence where the bear can easily reach them. This keeps the bears from destroying all the hives: the bear fills its stomach and leaves without going behind the fence and harming the other hives.

In information systems there is a similar relationship between the bear and the honeypot. The attacker, believing they are in a real system, tries every possible attack scenario on it, achieves nothing, and most of the time walks away. Of course, that is not always the case, so honeypots must be placed carefully. The attacker here is usually an automated chain of attacks, often consisting of malicious bots. From time to time, however, the attacker may actively try to log into the system directly with the tools they control. In such cases they may realize that the system is a honeypot and immediately move away, or worse, they may try to bypass the honeypot and direct their attacks at the real systems. For this reason, honeypots located in the DMZ must be set up with care.

Honeypots are a well-known cybersecurity mechanism for detecting and countering attacks. When an attacker tries to access this fake, seemingly confidential data, the honeypot notifies the system administrators of the attempt.

A honeypot also collects and analyzes information about hacking attempts. Basically, the honeypot is a security framework explicitly built to attract various kinds of attack. It acts as a decoy victim, so that attackers go after it first. Such frameworks make it possible to detect malware and intrusions early, and at the same time they keep those attacks away from the real resources. In this sense honeypots can be used as a security measure. A typical honeypot consists of two parts, a vulnerability emulation framework and a monitoring tool: the emulated vulnerability makes the attacker believe they have found a weakness they can exploit, and the monitoring component alerts you when an attacker is trapped and tries to exploit the vulnerability you exposed.

Although a new tool, honeypots cannot replace the other tools used in cybersecurity. Their usefulness against cyber attacks can be assessed in terms of prevention, detection and response:

• Prevention is any action that makes it increasingly difficult and less rewarding for attackers to breach the framework.

• Detection is the procedure for recognizing an attack and its effects on the framework in terms of confidentiality, integrity and availability.

• Response is the procedure for recovering from the attack. The best results strengthen prevention and detection capacities as well as limiting losses.

In any case, the honeypot holds exceptional value when it comes to detecting attacks. The Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) in use today are designed to detect attacks against production systems, and they can generate numerous false positives because an attack is very difficult to pick out amid the fluctuations of real traffic. Honeypots, by contrast, carry no real traffic at all, so every connection can be treated as malicious, which makes detection much easier. Response is the area where honeypots have the greatest potential. To recover effectively from an attack and strengthen our ability to prevent and detect it, we first need to see the attack itself. With a honeypot we can examine how the attack was carried out, identify the vulnerabilities that were exploited and determine the damage done, and the honeypot's records are not drowned in real traffic.

Working Principle Of Honeypots

In general, a honeypot appears to be part of the network it is connected to: it consists of a computer, applications and data that simulate the behavior of a real system that might be attractive to attackers, such as a financial system, Internet of Things (IoT) devices, or a utility or transportation network. In reality it is isolated and closely watched. Since there is no reason for legitimate users to access a honeypot, any attempt to contact it is considered suspicious.

Honeypots are usually placed in the DMZ (demilitarized zone). Although isolated from the main network with this approach, they still remain part of the network. With a honeypot in the DMZ, attackers can be monitored remotely while they access it, which minimizes the risk of a breach of the main network.

Honeypots can also be placed outside the internet-facing external firewall to detect attempts to enter the internal network. The exact placement of the honeypot depends on how detailed it is, the traffic it aims to attract, and how close it is to sensitive resources within the corporate network. Whatever the placement, it must always be isolated from the institution's main environment.

Monitoring and logging activity in the honeypot provides information about the level and types of threats a network infrastructure faces, while distracting attackers from assets of real value. One risk still needs attention, though: cybercriminals can take over honeypots and use them against the organization itself.

Virtual machines (VMs) are often used to host honeypots. That way, if a honeypot is hijacked by malware, for example, it can be quickly restored. Two or more honeypots in a network form a honeynet (honey network).

Both open source and commercial options are available to help deploy and manage honeypots. These include standalone honeypot systems and honeypots packaged with other security software and marketed as deception technology. GitHub has an extensive list of honeypots that can help beginners get an idea of how honeypots are used.

Although there are different types of honeypots depending on the purpose of use, the reasons for creating them are generally the same: to make the attacker lose time on the target and stay away from the real servers and systems. In addition, a honeypot gives access to very useful data for analyzing the methods the attackers use. This data covers not only the attack method and attack vector, but also material for reverse engineering and detection work such as IoCs, YARA rules and hash values.

Installing a honeypot directly on the external network reduces the load on the attack surface and confuses the attacker. Traps working on the same logic can also catch unwanted e-mails, and the IP addresses, URLs and hash values obtained this way can be used as threat intelligence. The addresses that end up in such traps are ones attackers harvest from Google searches with automated tools, not real users' e-mails, so before setting this up you should plan what can be found about the institution on the internet with tools such as "theHarvester" and how to build a feed from that data.

It is also possible to detect an attacker who has infiltrated, or is assumed to have infiltrated, your network by creating a honeypot service or network within your local network. Such proactive approaches also detect malicious employees who, although they are authorized users, are curious about data they are not entitled to and try to access it.
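As an added illustration (not code from the original article), the following Python listener sketches the working principle described above together with the IoC use from the last paragraphs: it answers on an otherwise unused port with an assumed SSH-style banner, treats every connection as an alert because no legitimate user should ever reach it, records the probe, and distils source IPs and payload hashes into feed material. Port 2222, the banner and the tagging rules are assumptions, not a real product's behaviour.

```python
import hashlib
import json
import socketserver
from datetime import datetime, timezone

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # assumed lure banner; any service string works

def classify(data: bytes) -> str:
    """Rough tag for what the probe looked like; every contact is an alert anyway."""
    if not data:
        return "connect-only"
    if data.startswith(b"SSH-"):
        return "ssh-client-banner"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http-request"
    return "unknown"

def make_event(src_ip, dst_port, data, when=None):
    """No legitimate user should touch the honeypot, so each connection
    becomes an alert record that also carries IoC material."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": src_ip, "dst_port": dst_port,
        "tag": classify(data), "severity": "alert",
        "payload_sha256": hashlib.sha256(data).hexdigest(),
        "payload_preview": data[:64].decode("ascii", "replace"),
    }

def iocs_from_events(events):
    """Distill source IPs and payload hashes from the alert log into a feed."""
    return {
        "src_ips": sorted({e["src_ip"] for e in events}),
        "payload_hashes": sorted({e["payload_sha256"] for e in events
                                  if e["tag"] != "connect-only"}),
    }

class LureHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)
        try:
            self.request.sendall(FAKE_BANNER)
            data = self.request.recv(1024)  # record the probe, never act on it
        except OSError:
            data = b""
        event = make_event(self.client_address[0], self.server.server_address[1], data)
        print(json.dumps(event), flush=True)  # forward to the SIEM in a real setup
if __name__ == "__main__":  # bind an otherwise unused port; this is only a decoy
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2222), LureHandler) as srv:
        srv.serve_forever()
```

Running the script and connecting to port 2222 from another host prints one JSON alert line per connection; feeding those lines to `iocs_from_events` gives the IP and hash lists the article mentions as threat intelligence.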

We will discuss honeypot types in the next article of this series. This article drew on many internet resources.
